-
Notifications
You must be signed in to change notification settings - Fork 0
Capability Matrix
HTTP/1.1(RFC 9110/9112)
- 请求体支持
Content-Length、库生成 chunked 与真流式上传:BodyCreateStream/RequestSetBodySource按块读取;用户手设Transfer-Encoding/TE仍安全拒绝。 - 请求 trailer:
BodyAddTrailer/RequestAddTrailer在Chunkedbody 模式下发送终止块后的 trailer 字段,并拒绝禁止字段与 CRLF 注入。 - 响应解析:状态行仅接受 HTTP/1.0、1.1;头行 ≤8 KiB、头段 ≤64 KiB、头数 ≤200;拒绝 obs-fold 折行;多个
Content-Length、TE+CL冲突 →STATUS_INVALID_NETWORK_RESPONSE。 - body 框定:Content-Length / chunked / close-delimited;无 body 状态:1xx、204、205、304,及 HEAD 响应。
- chunked:块数 ≤8192、chunk-size 行 ≤32、严格 chunk 扩展语法校验;trailer 校验并拒绝禁止字段(
Content-Length/Transfer-Encoding/Host/Authorization/Proxy-Authorization/Cookie/Set-Cookie)。 -
206 Partial Content/Content-Range提供只读解析(HttpResponse::IsPartialContent/GetContentRange);请求侧提供Range与条件请求 typed helper。绑定 RFC 9111 cache 后,Range 请求与206响应参与自动验证、切片命中和 partial 合并。 -
Content-Encoding:gzip、deflate、br、compress、zstd、dcz、aes128gcm、exi、pack200-gzip、identity;最多 2 级,反序解码。EXI 支持无外部 Schema 的四种 alignment、Options、保真项、内建类型和xsi:type/xsi:nil;Pack200 支持 Java 5–8 稳定格式及 JAR 语义重建。外部 Schema/strict EXI 返回STATUS_NOT_SUPPORTED。 -
Accept-Encoding:默认自动发送gzip, deflate, br, zstd, identity(deflate 运行时不可用则br, identity);typed preferences 支持 qvalue、identity;q=0、*;q=0、重复项拒绝,并驱动响应Content-Encodingfail-closed 校验。 -
解压炸弹防护:decoded aggregate 跟随响应/调用方容量,单级膨胀比 ≤64(
MaxDecodeExpansionRatio)。 - 中间 1xx(除 101)静默吞掉重解析;
SendFlagExpectContinue显式开启Expect: 100-continue,覆盖 100 后发送 body、final/417 不发送 body、超时后发送 body 与断连错误;自动 redirect、keep-alive 连接池复用。 - HTTP proxy:HTTPS 走 CONNECT 隧道;明文 HTTP over proxy 使用 absolute-form request target,
Proxy-Authorization只来自显式代理配置。 - HTTP/1.1 pipeline:session
EnableHttp11Pipeline=true显式开启,默认关闭;连接池按 FIFO 绑定响应,默认仅允许GET/HEAD/OPTIONS,深度和方法 mask 可配置;带 body、Expect:100-continue、redirect 重放/重排不进入 pipeline。
HTTP/2(RFC 9113 + HPACK RFC 7541)
- 连接前导 + SETTINGS 交换;客户端发 7 项 SETTINGS(含
ENABLE_CONNECT_PROTOCOL)、立即发 ACK 不阻塞等服务端 ACK。 - SETTINGS 校验:
ENABLE_PUSH != 0拒绝、ENABLE_CONNECT_PROTOCOL仅接受 0/1、窗口/帧大小越界拒绝;缺 ACK 且后续读超时 → GOAWAYSETTINGS_TIMEOUT。 - 完整帧矩阵;伪头/流控/连接专属头校验;
:status必须先于普通头。 - CONTINUATION 洪泛防护:≤64 帧、≤4 空帧(CVE-2024-27316 类)。
- 活动 stream 表 +
BeginRequest/ReceiveResponse(streamId)两阶段接口;HEADERS/DATA/WINDOW_UPDATE/RST_STREAM 按 streamId 交错分发。 -
wknet::http连接池接入 HTTP/2 stream 租约,同源 H2 连接可按本地/peer 并发上限承载多个活动请求;连接级错误广播给活动流。 - DATA 流控:连接级 + per-stream 窗口;连接级 WINDOW_UPDATE 阈值为初始窗口一半(32767);初始窗口 SETTINGS 更新会同步调整活动 stream;越界 GOAWAY
FLOW_CONTROL_ERROR。 - 1xx interim 处理(拒绝
:status 101与 interim+END_STREAM);PUSH_PROMISE 一律协议错误。 - RFC 8441 extended CONNECT:
CONNECT+:protocol: websocket需对端SETTINGS_ENABLE_CONNECT_PROTOCOL=1;wknet::websocket对wss默认自动选择该路径,可用Http11Only强制 HTTP/1.1。 - 三模式:TLS-ALPN
h2、显式 h2c prior knowledge、显式 h2c Upgrade(Upgrade 模式禁请求体、重放 101 后残留字节、用 stream 1);高层通过SendOptions.Http2CleartextModeopt-in,默认 HTTP/1.1。 - HTTP/2 请求 body 由 body source 驱动,按连接/stream 流控和 peer
MAX_FRAME_SIZE切 DATA;请求 trailers 以 final HEADERS + END_STREAM 发送并拒绝 trailer 伪头。 - 显式 per-request priority:
SendOptions.Http2Priority可在首个 HEADERS 帧携带 priority 字段;协议层支持独立 PRIORITY frame 编解码。 - 后台 PING 保活:session 通过
Http2KeepAlive.Enabled=true显式开启,默认关闭;只扫描 idle 且可复用的池化 H2 连接,ACK 超时或协议错误会关闭该 idle 连接。 - GOAWAY/RST 高层重试语义:clean GOAWAY 或
REFUSED_STREAM表示未处理 stream 时返回STATUS_RETRY,高层只对安全方法 fresh retry 一次,非幂等请求不自动重放。
HPACK:整数续字节 ≤5、Huffman(拒绝 >30 bit 码/EOS/非法 padding)、动态表大小更新仅限块首且 ≤协商值、header-list 大小按 name+value+32 计;编码端对 authorization/cookie/proxy-authorization 强制 Never-Indexed。
WebSocket(RFC 6455)
- ws/wss 握手;
Sec-WebSocket-Accept常量时间比对;permessage-deflate显式 opt-in(默认关闭),未请求/未知/非法扩展拒绝;子协议协商。 - 支持调用方提供 opening-handshake headers(如
Origin、Authorization、Cookie),拒绝库受控头(Host、Connection、Upgrade、Sec-WebSocket-*等)和非法头文本。 - HTTP/1.1 Upgrade 路径客户端帧始终掩码(每帧新随机键);RFC 8441 over HTTP/2 路径按规范发送无掩码帧;收到被掩码的服务端帧→协议错误 1002。
-
wss默认自动 offerh2,http/1.1并在协商到 h2 时使用 RFC 8441;peer 未启用SETTINGS_ENABLE_CONNECT_PROTOCOL时按 Auto 规则回到 HTTP/1.1,ws://不隐式走 h2c。 -
分片发送:
wknet::websocket::SendContinuation+SendOptions{FinalFragment},自动按帧缓冲分块;跨片增量 UTF-8 校验。 -
接收分片回调:默认聚合完整消息;显式
ReceiveOptions.DeliverFragments=true时,ReceiveOptions.OnMessage或返回式按 wire fragment 交付并暴露真实finalFragment。 - 控制帧:自动 Pong(可关)、单次接收控制帧 ≤100(超限 close 1008);文本/close payload UTF-8 校验(非法 1007);超
MaxMessageBytesclose 1009。 - close 握手:主动(发 close 后等 peer close,3s 超时)与被动(echo 后关)。
TLS 1.2(RFC 5246)/ 1.3(RFC 8446)
- 客户端只走单版本路径(1.3 在范围内优先);无握手内自动降级——失败时分类为
VersionNegotiation由上层显式重连 1.2。 - 下游 cipher/group/sig 分「默认启用 / 可选 / 兼容(Legacy)」三档(详见 TLS 与证书)。默认套件为 ECDHE-RSA/ECDSA 的 AES-GCM 与 ChaCha20-Poly1305 + TLS1.3 三件套;默认群 X25519/P-256/P-384/P-521;默认签名 RSA-PSS/ECDSA/Ed25519/Ed448。
- TLS1.2 强制 Extended Master Secret、安全重协商指示、CBC 必须 Encrypt-then-MAC,否则失败。
- TLS1.3:HelloRetryRequest(binder 重算)、KeyUpdate(仅在服务端请求时被动 rekey)、NewSessionTicket、record padding、
signature_algorithms_cert、OCSP stapling 解析。 - 会话恢复绑定 policy 身份 + SNI + ALPN + cipher + 版本(1.2/1.3 各最多 4 条缓存)。
- 记录层:AES-GCM(1.2/1.3)、AES-CBC EtM(MAC 常量时间先验后解)、ChaCha20-Poly1305;序列号溢出保护;多项抗洪泛记录上限。
证书校验(在扩展内核栈上运行)
- 链 ≤8;有界候选路径搜索按 subject/issuer、AKI/SKI 与签名可验证性选择链,覆盖多中间与交叉签名;逐链签名验证、有效期、basic constraints/pathLen、KU(keyCertSign)、EKU serverAuth(可选)、Name Constraints、certificatePolicies、信任锚。
- 解析期拒绝重复扩展与未知 critical 扩展。
- 主机名:SAN dNSName 通配仅限单个最左标签;IP literal 只匹配 iPAddress SAN;从不回退 CN(CN 仅用于 name-constraint);IDNA/punycode。
- 撤销:纯离线、证据驱动(OCSP stapling、静态条目与 provider callback);OCSP/CRL DER evidence 会校验签名、issuer/serial、thisUpdate/nextUpdate 与状态;
OnlineRequired/RequireRevocationCheck下查不到或证据无效 → fail-closed(STATUS_TRUST_FAILURE)。 - SPKI pin:对已配置 pin 的主机强校验叶证书 SPKI;未配置 pin 的主机 fail-open。
- mTLS:私钥不入库,经
TlsClientCredential.Sign回调签名。
密码学:SHA-1/256/384/512、HMAC、HKDF;AES-GCM(CNG)、ChaCha20-Poly1305 / AES-CCM / X25519 / X448 / FFDHE2048-8192 为内核内软件实现;NIST 曲线走 CNG ECDH;签名验证 RSA-PKCS1/RSA-PSS(salt=摘要长)/ECDSA;最小 RSA 模数 2048 位;FFDHE 公钥范围校验;密钥材料统一 RtlSecureZeroMemory 清零。
| 能力 | 开启方式 / 说明 |
|---|---|
Expect: 100-continue |
SendFlagExpectContinue 显式开启 |
| HTTP/1.1 pipeline | session EnableHttp11Pipeline=true;Http11PipelineMaxDepth / Http11PipelineMethodMask 可配置,默认仅 GET/HEAD/OPTIONS
|
| h2c prior knowledge / Upgrade |
SendOptions.Http2CleartextMode 显式开启;默认不走明文 HTTP/2 |
| HTTP/2 后台 PING 保活 | session Http2KeepAlive.Enabled=true;默认关闭 |
| HTTP/2 per-request priority | SendOptions.Http2Priority |
| WebSocket permessage-deflate |
ConnectConfig.PerMessageDeflate.Enable=true;默认不协商 |
| TLS1.2 RSA kx / CBC / SHA-1 |
TlsPolicy.Profile=CompatibilityExplicit 后分别开启 EnableTls12RsaKeyExchange、EnableTls12Cbc、EnableTls12Sha1Signatures
|
| TLS1.2 真重协商 |
CompatibilityExplicit + EnableTls12Renegotiation,次数由 MaxTls12Renegotiations 限制 |
| TLS1.3 0-RTT | 连接选项 EnableEarlyData + EarlyDataReplaySafe,且 ticket 通告 max_early_data_size
|
| TLS1.3 post-handshake client auth |
EnablePostHandshakeClientAuth;开启后经 mTLS 回调签名,私钥不进入库 |
| 强撤销要求 |
RequireRevocationCheck;查不到调用方提供或 provider 返回的可验证 OCSP/CRL DER 证据时 fail-closed |
这些是有意的安全或协议策略,不表示缺少实现。
| 行为 | 处理 |
|---|---|
用户手写请求 Transfer-Encoding / TE
|
拒绝;请求 framing 由库生成和校验 |
| HTTP/1.1 request trailer | 仅允许 chunked 请求路径 |
HTTP br Transfer-Encoding |
拒绝;br 仅作为 Content-Encoding 支持 |
HTTP/2 PUSH_PROMISE
|
server push 禁用,收到后视为协议错误 |
| WebSocket 服务端返回未请求扩展 | 拒绝;permessage-deflate 仅显式启用后协商 |
| WebSocket 握手 redirect / 401 / 407 | 不自动跟随或认证,返回 STATUS_NOT_SUPPORTED
|
| TLS 1.3 到 TLS 1.2 | 不做握手内自动降级;只有可验证的版本协商证据才允许上层显式重连 1.2 |
| 证书主机名 | IP literal 只匹配 iPAddress SAN;域名不回退 CN |
| HTTPS redirect 到 HTTP | 默认拒绝降级 |
| RFC 9111 cache | 提供显式内存内内核缓存 API;支持 fresh hit、验证、Vary、private/shared 规则、unsafe method 失效、Range/206 partial 合并 |
这些能力当前不提供;已经实现但默认关闭的能力只记录在上一节,不放在这里。
| 能力 | 当前结论 |
|---|---|
| HTTP 入站 request parser / server role | 非目标;当前项目定位为客户端协议栈 |
| 磁盘持久化 HTTP cache | 非目标;RFC 9111 cache 为显式内存内 NonPaged 对象,不跨重启持久化 |
| HTTP/2 复杂本地 priority tree 调度 | 非目标;不维护本地依赖树,不实现带宽调度器 |
除 permessage-deflate 外的 WebSocket extensions |
非目标;不协商其它扩展 |
| 在线 OCSP/CRL 抓取 | 非目标;调用方通过外部 trust/cert/revocation 数据或已缓存条目驱动强撤销判定 |
| HTTP/3 / QUIC | 非目标 |
- 传输层主路径使用 WSK;TLS、HTTP、证书校验按内核自实现路线推进。
- 密码学优先使用内核态 CNG/BCrypt;ChaCha20-Poly1305、AES-CCM、X25519、X448、FFDHE、Ed25519/Ed448 验签等由内核内软件实现补齐。
- 不把 WinHTTP、WinINet、SChannel 作为内核主路径。
- 库层不硬编码系统 CA;信任锚、CA 包、撤销缓存和 pin 由调用方显式提供。
-
Redirect:301/302 仅 POST→GET;303 除 HEAD 外→GET;307/308 保留方法和 body;跨源清理
Authorization/Cookie/Proxy-Authorization;拒绝 HTTPS→HTTP 降级。达到最大跳数(默认 10)时不报错,直接返回该 3xx 响应。 -
Stale 重试:仅
GET/HEAD/OPTIONS,且复用连接、ReuseOrCreate、失败状态属连接关闭族/STATUS_RETRY/STATUS_IO_TIMEOUT时,以ForceNew重试恰好一次。 -
连接池:close-delimited 与 101 响应不回池;
NoPool从不挤掉活跃连接,ForceNew/ReuseOrCreate会驱逐空闲槽。 -
IRQL:同步 HTTP/WS/TLS/证书路径要求
PASSIVE_LEVEL,否则STATUS_INVALID_DEVICE_REQUEST/STATUS_INVALID_DEVICE_STATE。
This page is grounded in the actual src/wknetlib/ implementation.
HTTP/1.1: Content-Length, library-generated chunked, streaming request bodies (BodyCreateStream / RequestSetBodySource), chunked request trailers (BodyAddTrailer / RequestAddTrailer), explicit Expect: 100-continue, opt-in TRACE, Range/conditional helpers, HTTPS CONNECT proxy, plaintext proxy absolute-form targets, opt-in pipelining, strict response framing, and fail-closed content decoding.
HTTP/2: preface and SETTINGS validation, CONTINUATION flood guards, active-stream routing, pooled multi-stream reuse, connection and stream flow control, streaming DATA, request trailers, explicit priority, opt-in PING keepalive, GOAWAY/RST retry semantics, RFC 8441, TLS ALPN, and explicit h2c prior-knowledge/Upgrade through SendOptions.Http2CleartextMode.
WebSocket: handshake with constant-time accept comparison, caller-supplied opening headers with controlled-header rejection, explicit opt-in permessage-deflate (off by default; unrequested/unknown/invalid extensions rejected), subprotocol negotiation; HTTP/1.1 client frames are masked, RFC 8441 over HTTP/2 frames are unmasked as required (masked server frame → 1002); high-level and low-level wss default to automatic RFC 8441 selection by offering h2,http/1.1 (use Http11Only to force HTTP/1.1; ws:// does not implicitly use h2c); fragment send (wknet::websocket::SendContinuation + FinalFragment) with incremental cross-fragment UTF-8 validation; default aggregated whole-message receive or explicit wire-fragment delivery via ReceiveOptions.DeliverFragments=true and ReceiveOptions.OnMessage; auto-Pong (toggleable), ≤100 control frames per receive (1008), UTF-8 validation (1007), max-message (1009); active and passive close handshakes; opening-handshake 3xx/401/407 returns STATUS_NOT_SUPPORTED rather than following redirect/auth challenges.
TLS 1.2/1.3: single-version path (no in-handshake fallback — failures classified as VersionNegotiation for an explicit caller retry at 1.2); cipher/group/sig split into default / optional / legacy; TLS1.2 enforces EMS + secure-reneg indication + Encrypt-then-MAC for CBC; TLS1.3 HelloRetryRequest, reactive-only KeyUpdate, NewSessionTicket, record padding, signature_algorithms_cert, OCSP stapling parse; resumption bound to policy identity + SNI + ALPN + cipher + version. Certificate validation (on an expanded kernel stack): chain ≤8 with bounded candidate path search, subject/issuer plus AKI/SKI matching, cross-signed intermediates, signature/validity/basic-constraints/pathLen/KU/EKU/name-constraints/cert-policies/trust-anchor; rejects duplicate and unknown-critical extensions; hostname match with single-label wildcard, IP literals match iPAddress SAN only, never falls back to CN; revocation is offline + evidence-driven through stapled OCSP, static entries, or provider callback, validates OCSP/CRL DER signatures, issuer/serial, thisUpdate/nextUpdate, and status, and fails closed when required-but-absent or invalid; SPKI pinning (fail-open for un-pinned hosts); mTLS via caller Sign callback (private key never enters the library). Crypto: ChaCha20-Poly1305/AES-CCM/X25519/X448/FFDHE/Ed25519/Ed448 verification are in-kernel software; min RSA modulus 2048.
| Capability | How it is enabled |
|---|---|
Expect: 100-continue |
SendFlagExpectContinue |
| HTTP/1.1 pipelining | Session EnableHttp11Pipeline=true; Http11PipelineMaxDepth / Http11PipelineMethodMask are configurable and default eligibility is GET/HEAD/OPTIONS
|
| h2c prior knowledge / Upgrade | SendOptions.Http2CleartextMode |
| HTTP/2 background PING keepalive | Session Http2KeepAlive.Enabled=true
|
| HTTP/2 per-request priority | SendOptions.Http2Priority |
| WebSocket permessage-deflate | ConnectConfig.PerMessageDeflate.Enable=true |
| TLS 1.2 RSA-kx / CBC / SHA-1 |
TlsPolicy.Profile=CompatibilityExplicit plus the matching compatibility switch |
| TLS 1.2 true renegotiation |
CompatibilityExplicit + EnableTls12Renegotiation, limited by MaxTls12Renegotiations
|
| TLS 1.3 0-RTT |
EnableEarlyData + EarlyDataReplaySafe, with a ticket that advertises max_early_data_size
|
| TLS 1.3 post-handshake client auth |
EnablePostHandshakeClientAuth; signatures use the mTLS callback and private keys never enter the library |
| Hard revocation requirement |
RequireRevocationCheck; missing verifiable OCSP/CRL DER evidence fails closed |
These are deliberate security or protocol choices, not missing implementation.
| Behavior | Handling |
|---|---|
Caller-supplied request Transfer-Encoding / TE
|
Rejected; request framing is generated and validated by the library |
| HTTP/1.1 request trailers | Allowed only on the chunked request path |
HTTP br Transfer-Encoding |
Rejected; br is supported only as Content-Encoding
|
HTTP/2 PUSH_PROMISE
|
Server push is disabled and treated as a protocol error |
| Unexpected WebSocket extensions | Rejected; permessage-deflate is used only after explicit opt-in and successful negotiation |
| WebSocket handshake redirect / 401 / 407 | Not followed automatically; returns STATUS_NOT_SUPPORTED
|
| TLS 1.3 to TLS 1.2 | No in-handshake automatic fallback; only verified version-negotiation evidence allows an explicit caller retry at 1.2 |
| Certificate hostname matching | IP literals match iPAddress SAN only; DNS names never fall back to CN |
| HTTPS redirect to HTTP | Rejected by default |
| RFC 9111 cache | Explicit in-memory kernel cache API; supports fresh hits, validation, Vary, private/shared rules, unsafe-method invalidation, and Range/206 partial combining |
These capabilities are not provided today. Capabilities that are implemented but off by default are listed only in the previous section.
| Capability | Current conclusion |
|---|---|
| HTTP inbound request parser / server role | Non-goal; this project is a client protocol stack |
| Persistent on-disk HTTP cache | Non-goal; RFC 9111 cache is an explicit in-memory NonPaged object and is not persisted across reboot |
| Complex local HTTP/2 priority-tree scheduling | Non-goal; no local dependency tree or bandwidth scheduler is maintained |
WebSocket extensions other than permessage-deflate
|
Non-goal; no other extensions are negotiated |
| Online OCSP/CRL fetching | Non-goal; callers provide external trust/certificate/revocation data or cached entries |
| HTTP/3 / QUIC | Non-goal |
- The transport main path uses WSK; TLS, HTTP, and certificate validation are implemented in the kernel path.
- Cryptography uses kernel-mode CNG/BCrypt first. ChaCha20-Poly1305, AES-CCM, X25519, X448, FFDHE, and Ed25519/Ed448 verification are filled in by in-kernel software implementations.
- WinHTTP, WinINet, and SChannel are not used as the kernel main path.
- The library does not hard-code system CAs; callers explicitly provide trust anchors, CA bundles, revocation cache entries, and pins.
See Roadmap.
-
开始使用 / Get Started
-
概念与行为 / Concepts
-
协议指南 / Protocols
-
API 参考 / API Reference
-
贡献与项目 / Contribute